The IT Department of a financial institution decided to implement preventive controls to avoid potential security breaches. Therefore, they separated the development, testing, and operating equipment, secured their offices, and used cryptographic keys. However, they are seeking further measures to enhance their security and minimize the risk of security breaches. Which of the following controls would help the IT Department achieve this objective?
Diana works as a customer service representative for a large e-commerce company. One day, she accidently modified the order details of a customer without their permission. Due to this error, the customer received an incorrect product. Which information security principle was breached in this case?
Scenario 3: Socket Inc. is a telecommunications company offering mainly wireless products and services. It uses MongoDB, a document model database that offers high availability, scalability, and flexibility.Last month, Socket Inc. reported an information security incident. A group of hackers compromised its MongoDB database, because the database administrators did not change its default settings, leaving it without a password and publicly accessible.Fortunately, Socket Inc. performed regular information backups in their MongoDB database, so no information was lost during the incident. In addition, a syslog server allowed Socket Inc. to centralize all logs in one server. The company found out that no persistent backdoor was placed and that the attack was not initiated from an employee inside the company by reviewing the event logs that record user faults and exceptions.To prevent similar incidents in the future, Socket Inc. decided to use an access control system that grants access to authorized personnel only. The company also implemented a control in order to define and implement rules for the effective use of cryptography, including cryptographic key management, to protect the database from unauthorized access. The implementation was based on all relevant agreements, legislation, and regulations, and the information classification scheme. To improve security and reduce the administrative efforts, network segregation using VPNs was proposed.Lastly, Socket Inc. implemented a new system to maintain, collect, and analyze information related to information security threats, and integrate information security into project management.Based on the scenario above, answer the following question:Which security control does NOT prevent information security incidents from recurring?
Socket Inc. has implemented a control for the effective use of cryptography and cryptographic key management. Is this compliant with ISO/IEC 27001? Refer to scenario 3.
Can Socket Inc. find out that no persistent backdoor was placed and that the attack was initiated from an employee inside the company by reviewing event logs that record user faults and exceptions? Refer to scenario 3.
Scenario 1: HealthGenic is a pediatric clinic that monitors the health and growth of individuals from infancy to early adulthood using a web-based medical software. The software is also used to schedule appointments, create customized medical reports, store patients’ data and medical history, and communicate with all the involved parties, including parents, other physicians, and the medical laboratory staff.Last month, HealthGenic experienced a number of service interruptions due to the increased number of users accessing the software. Another issue the company faced while using the software was the complicated user interface, which the untrained personnel found challenging to use.The top management of HealthGenic immediately informed the company that had developed the software about the issue. The software company fixed the issue; however, in the process of doing so, it modified some files that comprised sensitive information related to HealthGenic’s patients. The modifications that were made resulted in incomplete and incorrect medical reports and, more importantly, invaded the patients’ privacy.Based on the scenario above, answer the following question:Which of the following indicates that the confidentiality of information was compromised?
